Lynx Compliance - Azure Connector
Pulls compliance evidence from Azure Resource Manager - subscriptions, VMs, Storage Accounts (with public-access checks), Key Vaults, NSGs, RBAC role assignments, activity log - via OAuth2 client-credentials auth.
lynx_compliance_connector_azure · v19.0.1.0.0 · Premium
What this solves
Compliance evidence from Azure Resource Manager. Sister to the Microsoft 365 / Entra ID connector (which covers the identity surface) — this one covers the resource surface: subscriptions, VMs, Storage Accounts, Key Vaults, Network Security Groups, RBAC, and the Resource Manager activity log.
Authentication is OAuth2 client-credentials (same shape as the Microsoft 365 connector, different scope). The customer registers an Entra ID application, grants it the Reader role on the subscription(s) in scope, and pastes {tenant_id, client_id, client_secret} as JSON into credential_secret.
Required Azure RBAC roles on the subscription scope:
- Reader (catch-all read-only — recommended)

Alternatively, finer-grained:
- Storage Blob Data Reader (storage account properties)
- Key Vault Reader (Key Vault inventory)
- Reader and Data Access (NSG flow logs)
- Monitoring Reader (activity log)
Key Features
Azure connector type - JSON {tenant_id, client_id, client_secret} in credential_secret + optional config_json.subscription_id (scopes resource pulls; otherwise walks all visible subscriptions).
Eight resource pulls - subscriptions, resource groups, VMs, Storage Accounts, Key Vaults, Network Security Groups, role assignments, activity log (90d).
Pre-seeded collectors - five collectors covering ID.AM-01 (VMs), PR.DS-05 (storage public-access posture), PR.DS-01 (Key Vaults), PR.AA-05 (role assignments), DE.CM-01 (activity log).
Token auto-refresh via cached client-credentials grant; reused across all resource pulls within one cron run.
Per-API-version routing - each resource type calls Azure with its own current ?api-version=... query param.
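The storage public-access posture check named for PR.DS-05, sketched as an added example (this is not the connector's own code). The property names follow the Azure Resource Manager storage account schema; the evidence-row shape, the finding labels, the "review" status for an unset `allowBlobPublicAccess`, and the sample response are assumptions constructed for illustration.

```python
# Added example: classify storage accounts from an ARM "list storage accounts" response.
# SAMPLE is constructed data; the subscription ID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
SAMPLE = {"value": [
    {"id": SUB + "/providers/Microsoft.Storage/storageAccounts/stlocked", "name": "stlocked",
     "properties": {"allowBlobPublicAccess": False, "publicNetworkAccess": "Enabled",
                    "networkAcls": {"defaultAction": "Deny"}}},
    {"id": SUB + "/providers/Microsoft.Storage/storageAccounts/stopen", "name": "stopen",
     "properties": {"allowBlobPublicAccess": True,
                    "networkAcls": {"defaultAction": "Allow"}}},
    {"id": SUB + "/providers/Microsoft.Storage/storageAccounts/stlegacy", "name": "stlegacy",
     "properties": {"publicNetworkAccess": "Disabled"}},
]}

def storage_findings(account):
    """Return (definite, uncertain) finding lists for one storage account."""
    props = account.get("properties") or {}
    definite, uncertain = [], []
    anon = props.get("allowBlobPublicAccess")
    if anon is True:
        definite.append("anonymous-blob-access-allowed")
    elif anon is None:
        # The default for an unset value has differed between account
        # generations, so an absent property is not proof of a safe setting.
        uncertain.append("anonymous-blob-access-unset")
    # Absent network settings mean the public endpoint accepts all networks.
    public_network = props.get("publicNetworkAccess", "Enabled")
    default_action = (props.get("networkAcls") or {}).get("defaultAction", "Allow")
    if public_network == "Enabled" and default_action == "Allow":
        definite.append("public-endpoint-open-to-all-networks")
    return definite, uncertain

def evaluate(list_response, control="PR.DS-05"):
    """Turn an ARM list response into one evidence row per storage account."""
    rows = []
    for account in list_response.get("value", []):
        definite, uncertain = storage_findings(account)
        status = "fail" if definite else ("review" if uncertain else "pass")
        rows.append({"control": control, "resource_id": account["id"],
                     "name": account["name"], "status": status,
                     "findings": definite + uncertain})
    return rows

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row["name"], row["status"], row["findings"])
```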
Integrates With
lynx_compliance_connectors - registers under the connector framework.
lynx_compliance_evidence_collectors - shipped collectors use the standard schedule.
Azure Resource Manager via the requests HTTP client.